XACML 3.0 Export Compliance-US (ECUS) Profile Version 1.0
OASIS Standard
19 January 2015
Specification URIs
This version:
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.doc (Authoritative)
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.pdf
Previous version:
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/csprd02/xacml-3.0-ec-us-v1.0-csprd02.doc
(Authoritative)
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/csprd02/xacml-3.0-ec-us-v1.0-csprd02.html
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/csprd02/xacml-3.0-ec-us-v1.0-csprd02.pdf
Latest version:
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/xacml-3.0-ec-us-v1.0.doc (Authoritative)
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/xacml-3.0-ec-us-v1.0.html
http://docs.oasis-open.org/xacml/3.0/ec-us/v1.0/xacml-3.0-ec-us-v1.0.pdf
Technical Committee:
OASIS eXtensible Access Control Markup Language (XACML) TC
Chairs:
Bill Parducci (bill@parducci.net), Individual member
Hal Lockhart (hal.lockhart@oracle.com), Oracle
Editors:
John Tolbert (john.tolbert@queraltinc.com), Queralt, Inc.
Paul Tyson (ptyson@bellhelicopter.textron.com), Bell Helicopter Textron
Richard C. Hill (richard.c.hill@boeing.com), The Boeing Company
Related work:
This specification is related to:
eXtensible Access Control Markup Language (XACML) Version 3.0. Edited by Erik Rissanen.
Latest version. http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-en.html.
Abstract:
This specification defines a profile for the use of XACML in expressing policies for complying with
USA government regulations for export compliance (EC). It defines standard attribute identifiers
useful in such policies, and recommends attribute value ranges for certain attributes.
Status:
This document was last revised or approved by the membership of OASIS on the above date.
The level of approval is also listed above. Check the “Latest version” location noted above for
possible later revisions of this document. Any other numbered Versions and other technical work
produced by the Technical Committee (TC) are listed at https://www.oasisopen.org/committees/tc_home.php?wg_abbrev=xacml#technical.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 1 of 21
TC members should send comments on this specification to the TC’s email list. Others should
send comments to the TC’s public comment list, after subscribing to it by following the
instructions at the “Send A Comment” button on the TC’s web page at https://www.oasisopen.org/committees/xacml/.
For information on whether any patents have been disclosed that may be essential to
implementing this specification, and any offers of patent licensing terms, please refer to the
Intellectual Property Rights section of the Technical Committee web page (https://www.oasisopen.org/committees/xacml/ipr.php).
Citation format:
When referencing this specification the following citation format should be used:
[xacml-ec-us-v1.0]
XACML 3.0 Export Compliance US (EC-US) Profile Version 1.0. Edited by John Tolbert, Paul
Tyson, and Richard C. Hill. 19 January 2015. OASIS Standard. http://docs.oasisopen.org/xacml/3.0/ec-us/v1.0/os/xacml-3.0-ec-us-v1.0-os.html. Latest version: http://docs.oasisopen.org/xacml/3.0/ec-us/v1.0/xacml-3.0-ec-us-v1.0.html.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 2 of 21
Notices
Copyright © OASIS Open 2015. All Rights Reserved.
All capitalized terms in the following text have the meanings assigned to them in the OASIS Intellectual
Property Rights Policy (the "OASIS IPR Policy"). The full Policy may be found at the OASIS website.
This document and translations of it may be copied and furnished to others, and derivative works that
comment on or otherwise explain it or assist in its implementation may be prepared, copied, published,
and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice
and this section are included on all such copies and derivative works. However, this document itself may
not be modified in any way, including by removing the copyright notice or references to OASIS, except as
needed for the purpose of developing any document or deliverable produced by an OASIS Technical
Committee (in which case the rules applicable to copyrights, as set forth in the OASIS IPR Policy, must
be followed) or as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors
or assigns.
This document and the information contained herein is provided on an "AS IS" basis and OASIS
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY
OWNERSHIP RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
OASIS requests that any OASIS Party or any other party that believes it has patent claims that would
necessarily be infringed by implementations of this OASIS Committee Specification or OASIS Standard,
to notify OASIS TC Administrator and provide an indication of its willingness to grant patent licenses to
such patent claims in a manner consistent with the IPR Mode of the OASIS Technical Committee that
produced this specification.
OASIS invites any party to contact the OASIS TC Administrator if it is aware of a claim of ownership of
any patent claims that would necessarily be infringed by implementations of this specification by a patent
holder that is not willing to provide a license to such patent claims in a manner consistent with the IPR
Mode of the OASIS Technical Committee that produced this specification. OASIS may include such
claims on its website, but disclaims any obligation to do so.
OASIS takes no position regarding the validity or scope of any intellectual property or other rights that
might be claimed to pertain to the implementation or use of the technology described in this document or
the extent to which any license under such rights might or might not be available; neither does it
represent that it has made any effort to identify any such rights. Information on OASIS' procedures with
respect to rights in any document or deliverable produced by an OASIS Technical Committee can be
found on the OASIS website. Copies of claims of rights made available for publication and any
assurances of licenses to be made available, or the result of an attempt made to obtain a general license
or permission for the use of such proprietary rights by implementers or users of this OASIS Committee
Specification or OASIS Standard, can be obtained from the OASIS TC Administrator. OASIS makes no
representation that any information or list of intellectual property rights will at any time be complete, or
that any claims in such list are, in fact, Essential Claims.
The name "OASIS" is a trademark of OASIS, the owner and developer of this specification, and should be
used only to refer to the organization and its official outputs. OASIS welcomes reference to, and
implementation and use of, specifications, while reserving the right to enforce its marks against
misleading uses. Please see https://www.oasis-open.org/policies-guidelines/trademark for above
guidance.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 3 of 21
Table of Contents
1
Introduction ........................................................................................................................................... 5
1.1 Glossary .............................................................................................................................................. 5
1.2 Terminology ........................................................................................................................................ 6
1.3 Normative References ........................................................................................................................ 6
1.4 Non-Normative References ................................................................................................................ 6
1.5 Scope .................................................................................................................................................. 7
1.6 Disclaimer ........................................................................................................................................... 7
2
Profile ................................................................................................................................................... 8
2.1 Resource Attributes ............................................................................................................................ 8
2.1.1 Jurisdiction................................................................................................................................... 8
2.1.2 ECCN .......................................................................................................................................... 8
2.1.3 USML ........................................................................................................................................... 8
2.1.4 Authority-to-export ....................................................................................................................... 8
2.1.5 Effective-Date .............................................................................................................................. 9
2.1.6 Expiration-Date ............................................................................................................................ 9
2.1.7 Work-effort ................................................................................................................................... 9
2.2 Subject Attributes ................................................................................................................................ 9
2.2.1 Nationality .................................................................................................................................... 9
2.2.2 Current nationality ....................................................................................................................... 9
2.2.3 Location ....................................................................................................................................... 9
2.2.4 Organization .............................................................................................................................. 10
2.2.5 US Person ................................................................................................................................. 10
3
Identifiers ............................................................................................................................................ 11
3.1 Profile Identifier ................................................................................................................................. 11
4
Examples (non-normative) ................................................................................................................. 12
4.1 Commerce Control List rule .............................................................................................................. 12
4.2 State Department agreement ........................................................................................................... 13
5
Conformance ...................................................................................................................................... 16
5.1 Attribute Identifiers ............................................................................................................................ 16
5.2 Attribute Values ................................................................................................................................ 16
Appendix A.
Acknowledgements ........................................................................................................... 18
Appendix B.
Revision History ................................................................................................................ 21
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 4 of 21
1
1 Introduction
2
{non-normative}
3
4
5
6
This specification defines a profile for the use of the OASIS eXtensible Access Control Markup Language
(XACML) [XACML] to write policies that reflect the intent of United States government, particularly the
Department of Commerce export compliance (EC) laws and regulations. Use of this profile requires no
changes or extensions to the [XACML] standard.
7
8
9
This specification begins with a non-normative discussion of the topics of interest in this profile. The
normative section of the specification describes the attributes defined by this profile and provides
recommended usage patterns for attribute values.
10
11
12
This specification assumes the reader is somewhat familiar with XACML. A brief overview sufficient to
understand these examples is available in [XACMLIntro]. Information about USA government export
laws and regulations can be found at [BIS] and [DDTC].
13
14
15
16
17
18
Any U.S. organization that ships goods, materials, software, and/or technical information may be subject
to U.S. export control laws. Non-military products may be classified according to the U.S. Department of
Commerce “Commerce Control List”. Military products are controlled according to the United States
Munitions List. Destination countries are also classified by a variety of criteria. Even specific entities and
individuals may have restrictions. The recipient’s U.S. person status, location, and organization must also
be taken into account in these export control authorization decisions.
19
20
This EC-US profile provides a standard framework for the subject and resource attributes that must be
considered for U.S. export control decisions.
21
1.1 Glossary
22
Authority-to-export
23
24
25
26
27
A legal agreement authorizing exports. An export license is an example of an authorization
document between the authoritative agency and an organization which has requested an
exception to allow exports to otherwise prohibited locations. “NLR” (No License Required)
indicates that no export license is required for the export of the item in question.
CCL, Commerce Control List
28
29
Regulations that define the geopolitical restrictions on goods and services covered by EAR.
Country
30
31
32
A national political administrative unit recognized, for diplomatic and trade purposes, by the US
government.
Current nationality
33
34
35
For any person, the current nationality is the country that most recently granted citizenship to
that person.
EAR
36
37
38
39
40
41
42
43
44
Export Administration Regulations, US laws and regulations administered by the Department of
Commerce.
ECCN
Export Control Classification Number, a classification system for data and products covered by
EAR.
Effective date
The date on which an authorization document or export license takes effect, thereby implying
access for authorized purposes.
Expiration date
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 5 of 21
45
46
47
The date on which an authorization document or export license expires, thereby terminating
access.
ITAR
48
49
50
International Traffic in Arms Regulations; USA laws and regulations administered by the
Department of State.
Jurisdiction
51
52
53
The US department which governs the applicable export regulations: either Department of
Commerce for EAR or Department of State for ITAR.
Location
54
55
The country in which a person is currently located.
Nationality
56
57
A country of which a person is a citizen.
Organization
58
59
60
61
62
63
64
65
66
67
68
A company or other legal entity of which a person can be an employee or agent.
USML
United States Munitions List, a classification system for data and products covered by ITAR.
US Person
A designation that a person meets the requirements to be considered exempt from most US
government export regulations.
Work effort
This attribute can be used to indicate the specific work effort, statement of work, project, or
program which is associated with the export-controlled resource. This attribute provides
additional granularity to limit access to users within organizations to those with a specific need to
know for a given work effort.
69
1.2 Terminology
70
71
72
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD
NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described
in [RFC2119].
73
1.3 Normative References
74
75
76
77
78
79
80
81
82
83
84
85
[RFC2119]
[XACML]
S. Bradner, Key words for use in RFCs to Indicate Requirement Levels,
http://www.ietf.org/rfc/rfc2119.txt, IETF RFC 2119, March 1997.
OASIS, Committee Draft 02, 21 January 2010, eXtensible Access Control
Markup Language (XACML) Version 3.0, http://docs.oasisopen.org/xacml/3.0/xacml-3.0-core-spec-cd-04-en.doc.
1.4 Non-Normative References
[BIS]
[DDTC]
[ISO3166]
US Department of Commerce Bureau of Industry and Security,
http://www.bis.doc.gov/.
US Department of State Directorate of Defense Trade Controls,
http://www.pmddtc.state.gov/.
ISO 3166 Maintenance agency (ISO 3166/MA),
http://www.iso.org/iso/country_codes.htm.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 6 of 21
86
87
88
[XACMLIntro]
OASIS XACML TC, A Brief Introduction to XACML, 14 March 2003,
http://www.oasisopen.org/committees/download.php/2713/Brief_Introduction_to_XACML.html.
89
1.5 Scope
90
91
92
93
Many export compliance decisions can be made on the basis of the subject’s location, organization, and
nationalities (including country of birth) or current nationality, and the resource’s ECCN or USML
classification. This profile defines standard XACML attributes for these properties, and recommends the
use of standardized attribute values.
94
95
96
In practice, an organization’s export compliance policies will be a mixture of rules derived from US
government laws and regulations, along with enterprise-specific rules derived from government-approved
bilateral or multilateral agreements with foreign organizations.
97
1.6 Disclaimer
98
99
100
101
102
103
NOTHING IN THIS PROFILE IS INTENDED TO BE A LEGALLY CORRECT INTERPRETATION OR
APPLICATION OF US GOVERNMENT EXPORT LAWS OR REGULATIONS. USE OF THIS PROFILE IN
AN ACCESS CONTROL SYSTEM DOES NOT CONSTITUTE COMPLIANCE WITH US EXPORT
RESTRICTIONS. THIS PROFILE HAS NOT BEEN REVIEWED OR ENDORSED BY THE US
GOVERNMENT AGENCIES RESPONSIBLE FOR ENFORCING USA EXPORT LAWS, NOR BY ANY
LEGAL EXPERT IN THIS FIELD.
104
105
Organizations that use this profile should ensure their export compliance by consulting the resources at
[BIS] and [DDTC], and by engaging qualified professional legal services.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 7 of 21
106
2 Profile
107
2.1 Resource Attributes
108
2.1.1 Jurisdiction
109
110
111
To identify whether a resource is controlled under [ITAR] or [EAR], the following attribute identifier shall
be used:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:jurisdiction
112
113
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. The value of the
attribute SHALL be “ITAR” or “EAR”.
114
2.1.2 ECCN
115
116
ECCN classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:eccn
117
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
118
119
The attribute value (or pattern) used in equality or matching comparisons (in policies), and the attribute
values used in the decision context SHALL conform to the following requirements:
120
121
122
123
124
125
Items without an ECCN may be identified as “EAR99”.
126
All comparisons shall be case-sensitive.
127
2.1.3 USML
128
129
USML classification values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:usml
130
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
131
132
The attribute value (or pattern) used in equality or matching comparisons (in policies), and the attribute
values used in the decision context SHALL conform to the following requirements:
133
134
135
136
137
138
139
140
2.1.4 Authority-to-export
141
142
Authorization-document values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:authority-to-export
143
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
The base ECCN classification shall be 5 characters with upper-case letters.
9A120
Subclassification levels may be used, corresponding to the subparagraph labels in the CCL. The
subclassification designators shall be delimited with dots (“.”).
3A001.b.1.a.4.c
The minimal value (or pattern) shall consist of an upper-case roman numeral (in the range specified
by the USML), followed by a balanced set of parentheses containing a single lower-case letter.
VIII(i)
Additional balanced parentheses may be appended to the minimal value (or pattern), corresponding
to subparagraph designations in the USML.
V(b)(7)(c)(2)
All comparisons shall be case-sensitive.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 8 of 21
144
145
146
147
Authority-to-export values may include “EAR99”, “NLR” (No License Required), or the type of license as
well as license numbers for tracking. Examples of license types include TAA (Technical Assistance
Agreement, a type of ITAR license), MLA (Manufacturing License Agreement, a type of ITAR license), or
EAR. Examples of attribute values could be TA1234-56 or AG1234-56.
148
2.1.5 Effective-Date
149
150
Effective-date values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:effective-date
151
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#date.
152
153
This attribute can be used to indicate the date on which an export license takes effect, thereby implying
access for authorized purposes.
154
2.1.6 Expiration-Date
155
156
Expiration-date values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:expiration-date
157
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#date.
158
The date on which an export license expires, thereby terminating access.
159
2.1.7 Work-effort
160
161
Work-effort values shall be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:resource:work-effort
162
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
163
164
165
This attribute can be used to indicate the specific work effort, statement of work, project, or program
which is associated with the export-controlled resource. This attribute provides additional granularity to
limit access to users within organizations to those with a specific need to know for a given work effort.
166
2.2 Subject Attributes
167
2.2.1 Nationality
168
169
Nationality values applicable to a subject SHALL be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:subject:nationality
170
171
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. The value of this
attribute MUST be in the range of 2-letter country codes defined by [ISO3166].
172
173
A request context may have several instances of this attribute to reflect multiple citizenships held by a
subject. Nationality must include country of birth if different from other nationalities held by the subject.
174
2.2.2 Current nationality
175
176
177
The most recent nationality value applicable to a subject SHALL be designated with the following attribute
identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:subject:current-nationality
178
179
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. The value of this
attribute MUST be in the range of 2-letter country codes defined by [ISO3166].
180
2.2.3 Location
181
182
The current geographical location of a subject SHALL be designated with the following attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:subject:location
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 9 of 21
183
184
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string. The value of this
attribute MUST be in the range of 2-letter country codes defined by [ISO3166].
185
2.2.4 Organization
186
187
188
The organization of which the subject is an employee or agent SHALL be designated with the following
attribute identifier:
urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization
189
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#string.
190
191
192
Organization shall denote the organization to which the subject in the request belongs. A common
scheme such as DUNS SHOULD be used to promote interoperability.
193
2.2.5 US Person
194
195
The following attribute identifier SHALL be used to designate a subject’s status as a US person:
urn:oasis:names:tc:xacml:3.0:ec-us:subject:us-person
196
The DataType of this attribute is http://www.w3.org/2001/XMLSchema#boolean.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 10 of 21
197
3 Identifiers
198
This profile defines the following URN identifiers.
199
3.1 Profile Identifier
200
201
202
The following identifier SHALL be used as the identifier for this profile when an identifier in the form of a
URI is required.
urn:oasis:names:tc:xacml:3.0:profiles:ec-us
203
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 11 of 21
204
4 Examples (non-normative)
205
This section contains two examples illustrating the use of the attribute IDs defined by this profile.
206
207
208
209
210
211
212
213
214
215
216
The following entity definitions are used in these examples
217
Some required attributes, not essential for understanding, are omitted from the examples.
218
4.1 Commerce Control List rule
219
This illustrates one way to implement a rule for an ECCN as defined in the CCL. In English
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
Deny access to persons and locations in the anti-terrorism (AT1) and non-proliferation (NP1) country lists
if the resource has ECCN starting with “3A980”.
<!ENTITY ec-us-subj “urn:oasis:names:tc:xacml:3.0:ec-us:subject:”>
<!ENTITY ec-us-res “urn:oasis:names:tc:xacml:3.0:ec-us:resource:”>
<!ENTITY func10 “urn:oasis:names:tc:xacml:1.0:function:”>
<!ENTITY resource_category
“urn:oasis:names:tc:xacml:3.0:attribute-category:resource”>
<!ENTITY subject_category
“urn:oasis:names:tc:xacml:1.0:subject-category:access-subject”>
<!ENTITY xacml-res “urn:oasis:names:tc:xacml:1.0:resource:”>
<!ENTITY xs “http://www.w3.org/2001/XMLSchema#”>
<!ENTITY rca "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:">
[a1]
<Policy
[a2]
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
[a3]
PolicyId="urn:oasis:names:tc:xacml:3.0:ec-us:example:CCL"
[a4]
RuleCombiningAlgId="&rca;first-applicable"
[a5]
Version="1.0">
[a6]
<Description>Simple rule for one ECCN.</Description>
[a7]
<Target/>
[a8]
<VariableDefinition VariableId="AT1">
[a9]
<Apply FunctionId="&func10;any-of-any">
[a10]
<Function FunctionId="&func10;string-equal"/>
[a11]
<Apply FunctionId="&func10;string-union">
[a12]
<AttributeDesignator
[a13]
AttributeId="&ec-us-subj;current-nationality"
[a14]
Category="&subject_category;"
[a15]
DataType="&xs;string"
[a16]
MustBePresent="false"/>
[a17]
<AttributeDesignator
[a18]
AttributeId="&ec-us-subj;location"
[a19]
Category="&subject_category;"
[a20]
DataType="&xs;string"
[a21]
MustBePresent="false"/>
[a22]
</Apply>
[a23]
<Apply FunctionId="&func10;string-bag">
[a24]
<AttributeValue DataType="&xs;string">SD</AttributeValue>
[a25]
<AttributeValue DataType="&xs;string">SY</AttributeValue>
[a26]
</Apply>
[a27]
</Apply>
[a28]
</VariableDefinition>
[a29]
<VariableDefinition VariableId="NP1">
[a30]
<Apply FunctionId="&func10;any-of-any">
[a31]
<Function FunctionId="&func10;string-equal"/>
[a32]
<Apply FunctionId="&func10;string-union">
[a33]
<AttributeDesignator
[a34]
AttributeId="&ec-us-subj;current-nationality"
[a35]
Category="&subject_category;"
[a36]
DataType="&xs;string"
[a37]
MustBePresent="false"/>
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 12 of 21
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
[a38]
<AttributeDesignator
[a39]
AttributeId="&ec-us-subj;location"
[a40]
Category="&subject_category;"
[a41]
DataType="&xs;string"
[a42]
MustBePresent="false"/>
[a43]
</Apply>
[a44]
<Apply FunctionId="&func10;string-bag">
[a45]
<AttributeValue DataType="&xs;string">IR</AttributeValue>
[a46]
<AttributeValue DataType="&xs;string">PK</AttributeValue>
[a47]
</Apply>
[a48]
</Apply>
[a49]
</VariableDefinition>
[a50]
<Rule Effect="Deny" RuleId="3A980">
[a51]
<Description>
[a52]
Voice print identification and analysis equipment and parts"
[a53]
</Description>
[a54]
<Target>
[a55]
<AnyOf>
[a56]
<AllOf>
[a57]
<Match MatchId="&func10;string-regexp-match">
[a58]
<AttributeValue DataType="&xs;string">^3A980.*</AttributeValue>
[a59]
<AttributeDesignator
[a60]
AttributeId="&ec-us-res;eccn"
[a61]
Category="&resource_category;"
[a62]
DataType="&xs;string"
[a63]
MustBePresent="false"/>
[a64]
</Match>
[a65]
</AllOf>
[a66]
</AnyOf>
[a67]
</Target>
[a68]
<Condition>
[a69]
<Apply FunctionId="&func10;or">
[a70]
<VariableReference VariableId="AT1"/>
[a71]
<VariableReference VariableId="NP1"/>
[a72]
</Apply>
[a73]
</Condition>
[a74]
</Rule>
[a75] </Policy>
297
298
[a8-a28] Define a variable that returns true if the subject’s current-nationality or location is “SD”
or “SY”. These are the countries listed under the anti-terrorism reason for control in the CCL.
299
300
[a29-a49] Define another variable to check if current-nationality or location is in the group of
countries controlled for nuclear non-proliferation.
301
302
NOTE: In a real policy, it would be convenient to define variables corresponding to each
“reason for control” in the CCL. This example only refers to 2 such variables.
303
[a50] Define a rule that applies to resources with an ECCN classification (eccn) of “3A980”.
304
305
[a68-a73] Test if subject has a current-nationality or location that is controlled for this
classification.
306
307
NOTE: A real policy could have rules for every ECCN classification used in the enterprise
(or defined by [BIS]).
308
4.2 State Department agreement
309
This illustrates one way to write a XACML policy to implement an export authorization. In English:
310
311
312
Employees of BrazilEnterprise and employees of CanadianEnterprise who have no other nationality
attributes than “CA” or BR” are permitted to view resources identified with an “EXP” suffix that are
classified as “ITAR” and have USML code “VIII(h)”.
313
314
The (fictional) authorizing document is a Technical Assistance Agreement (TAA) identified as “TA-XYZ00”.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 13 of 21
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
[b1]
[b2]
[b3]
[b4]
[b5]
[b6]
[b7]
[b8]
[b9]
[b10]
[b11]
[b12]
[b13]
[b14]
[b15]
[b16]
[b17]
[b18]
[b19]
[b20]
[b21]
[b22]
[b23]
[b24]
[b25]
[b26]
[b27]
[b28]
[b29]
[b30]
[b31]
[b32]
[b33]
[b34]
[b35]
[b36]
[b37]
[b38]
[b39]
[b40]
[b41]
[b42]
[b43]
[b44]
[b45]
[b46]
[b47]
[b48]
[b49]
[b50]
[b51]
[b52]
[b53]
[b54]
[b55]
[b56]
[b57]
[b58]
[b59]
[b60]
[b61]
[b62]
[b63]
[b64]
<Policy
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="TA-XYZ-00"
RuleCombiningAlgId="&rca;first-applicable"
Version="1.0">
<Description>
Permit exports to Canadian and Brazilian partners.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="&func10;string-regexp-match">
<AttributeValue DataType="&xs;string">EXP$</AttributeValue>
<AttributeDesignator
AttributeId="&xacml-res;resource-id"
Category="&resource_category;"
DataType="&xs;string"
MustBePresent="false"/>
</Match>
<Match MatchId="&func10;string-equal">
<AttributeValue DataType="&xs;string">ITAR</AttributeValue>
<AttributeDesignator
AttributeId="&ec-us-res;jurisdiction"
Category="&resource_category;"
DataType="&xs;string"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="&func10;string-equal">
<AttributeValue DataType="&xs;string"
>BrazilEnterprise</AttributeValue>
<AttributeDesignator
AttributeId="&ec-us-subj;organization"
Category="&subject_category;"
DataType="&xs;string"
MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="&func10;string-equal">
<AttributeValue DataType="&xs;string"
>CanadianEnterprise</AttributeValue>
<AttributeDesignator
AttributeId="&ec-us-subj;organization"
Category="&subject_category;"
DataType="&xs;string"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<VariableDefinition VariableId="TA-XYZ-00-nationalities">
<Apply FunctionId="&func10;string-subset">
<AttributeDesignator
AttributeId="&ec-us-subj;nationality"
Category="&subject_category;"
DataType="&xs;string"
MustBePresent="false"/>
<Apply FunctionId="&func10;string-bag">
<AttributeValue DataType="&xs;string">BR</AttributeValue>
<AttributeValue DataType="&xs;string">CA</AttributeValue>
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 14 of 21
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
[b65]
[b66]
[b67]
[b68]
[b69]
[b70]
[b71]
[b72]
[b73]
[b74]
[b75]
[b76]
[b77]
[b78]
[b79]
[b80]
[b81]
[b82]
[b83]
[b84]
[b85]
[b86]
[b87]
[b88]
403
404
[b10-b29] This policy applies to resources with resource-id ending in “EXP” that have jurisdiction
equal to “ITAR”.
405
406
[b30-b53] This policy applies to subjects who work for (have organization attribute) of
“BrazilianEnterprise” or “CanadianEnterprise”.
407
[b55-b67] Define a variable to test that all nationality values are in the set (“BR”, “CA”).
408
409
[b68-b87] Define a rule that permits access if the usml is “VIII(h)” and the subject’s nationality values
are all in the specified set.
410
411
</Apply>
</Apply>
</VariableDefinition>
<Rule Effect="Permit" RuleId="permit-TA-XYZ-00">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="&func10;string-equal">
<AttributeValue DataType="&xs;string"
>VIII(h)</AttributeValue>
<AttributeDesignator
AttributeId="&ec-us-res;usml"
Category="&resource_category;"
DataType="&xs;string"
MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<VariableReference VariableId="TA-XYZ-00-nationalities"/>
</Condition>
</Rule>
</Policy>
NOTE: For correct evaluation, the request context must contain the complete set of
nationality values (including country of birth) for the subject.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 15 of 21
412
5 Conformance
413
414
Conformance to this profile is defined for policies and requests generated and transmitted within and
between XACML systems.
415
5.1 Attribute Identifiers
416
417
418
Conformant XACML policies and requests SHALL use the attribute identifiers defined in Section 2 for
their specified purpose, and SHALL NOT use any other identifiers for the purposes defined by attributes
in this profile. The following table lists the attributes that must be supported.
419
Note: “M” is mandatory “O” is optional.
420
Identifiers
urn:oasis:names:tc:xacml:3.0:ec-us:resource:jurisdiction
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:eccn
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:usml
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:authority-to-export
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:effective-date
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:expiration-date
M
urn:oasis:names:tc:xacml:3.0:ec-us:resource:work-effort
M
urn:oasis:names:tc:xacml:3.0:ec-us:subject:nationality
M
urn:oasis:names:tc:xacml:3.0:ec-us:subject:current-nationality
M
urn:oasis:names:tc:xacml:3.0:ec-us:subject:organization
M
urn:oasis:names:tc:xacml:3.0:ec-us:subject:us-person
M
urn:oasis:names:tc:xacml:3.0:ec-us:subject:location
M
421
422
5.2 Attribute Values
423
424
Conformant XACML policies and requests SHALL use attribute values in the specified range or patterns
as defined for each attribute in Section 2 (when a range or pattern is specified).
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 16 of 21
425
426
427
NOTE: In order to process conformant XACML policies and requests correctly, PIP and
PEP modules may have to translate native data values into the datatypes and formats
specified in this profile.
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 17 of 21
428
Appendix A. Acknowledgements
429
430
The following individuals have participated in the creation of this specification and are gratefully
acknowledged:
431
432
433
434
435
Participants:
John Tolbert, The Boeing Company
Paul Tyson, Bell Helicopter Textron
Richard Hill, The Boeing Company
436
Committee members during profile development:
Person
Organization
Role
David Brossard
Axiomatics
Voting Member
Gerry Gebel
Axiomatics
Member
Srijith Nair
Axiomatics
Member
Erik Rissanen
Axiomatics
Voting Member
Richard Skedd
BAE SYSTEMS plc
Member
Abbie Barbir
Bank of America
Member
Radu Marian
Bank of America
Member
Bank of America
Member
Rakesh
Radhakrishnan
Paul Tyson
Bell Helicopter Textron
Inc.
Voting Member
Ronald Jacobson
CA Technologies
Member
Masum Hasan
Cisco Systems
Member
Anil Tappetla
Cisco Systems
Member
Gareth Richards
EMC
Member
Remon Sinnema
EMC
Voting Member
Matt Crooke
First Point Global Pty Ltd.
Member
Allan Foster
Forgerock Inc.
Member
Michiharu Kudo
IBM
Member
Sridhar Muppidi
IBM
Member
Vernon Murdoch
IBM
Member
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 18 of 21
Nataraj Nagaratnam
IBM
Member
Gregory Neven
IBM
Member
Franz-Stefan Preiss
IBM
Member
Ron Williams
IBM
Member
David Chadwick
Individual
Member
David Choy
Individual
Member
Bill Parducci
Individual
Chair
Richard Sand
Individual
Member
Mike Schmidt
Individual
Member
David Staggs
Jericho Systems
Voting Member
Thomas Hardjono
M.I.T.
Member
Anthony Nadalin
Microsoft
Voting Member
Andy Han
NextLabs, Inc.
Member
Naomaru Itoi
NextLabs, Inc.
Member
Kamalendu Biswas
Oracle
Member
Willem de Pater
Oracle
Member
Subbu Devulapalli
Oracle
Member
Rich Levinson
Oracle
Secretary
Hal Lockhart
Oracle
Chair
Sid Mishra
Oracle
Member
Prateek Mishra
Oracle
Member
Roger Wigenstam
Oracle
Member
YanJiong WANG
Primeton Technologies,
Inc.
Member
Danny Thorpe
Quest Software
Voting Member
Kenneth Peeples
Red Hat
Member
Anil Saldhana
Red Hat
Member
Darran Rolls
SailPoint Technologies
Member
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 19 of 21
Jan Herrmann
Siemens AG
Member
Crystal Hayes
The Boeing Company
Voting Member
Richard Hill
The Boeing Company
Voting Member
John Tolbert
The Boeing Company
Voting Member
Transglobal Secure
Jean-Paul Buu-Sao
Collaboration Participation,
Voting Member
Inc. (TSCP)
Martin Smith
John Davis
Duane DeCouteau
Mohammad Jafari
US Department of
Homeland Security
Veterans Health
Administration
Veterans Health
Administration
Veterans Health
Administration
Member
Voting Member
Member
Voting Member
Steven Legg
ViewDS
Voting Member
Johann Nallathamby
WSO2
Member
Asela Pathberiya
WSO2
Member
Prabath Siriwardena
WSO2
Member
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 20 of 21
437
Appendix B. Revision History
438
Revision
Date
Editor
Changes Made
WD 1
4/17/2009
John Tolbert
Initial draft
WD 2
6/2/2009
John Tolbert
Added descriptions and conformance section
CD 1
7/2/2009
John Tolbert/Paul
Tyson
Annotated examples
CD 2
9/2/2009
Paul Tyson
Add conformance table
CD3
2/11/2010
Paul Tyson
Updated table of contents
WD3
11/28/2012
John Tolbert
Changed “Classification” to “Jurisdiction”,
added “License” as a resource attribute, and
updated membership list.
WD4
6/4/2012
John Tolbert/Paul
Tyson/Richard Hill
Changed “License” to “Authorizationdocument”, and added “Effective-date” and
“Expiration-date”.
Added DataType to ECCN, USML, and
Organization attributes.
Updated examples.
CSD5
12/13/2012
John Tolbert/Richard
Hill
Changed “Authorization-document” to
“Authority-to-export”, added “Work-effort” as
resource attribute.
439
xacml-3.0-ec-us-v1.0-os
Standards Track Work Product
Copyright © OASIS Open 2015. All Rights Reserved.
19 January 2015
Page 21 of 21
